Configuring Token exchange and NativeApp SSO

Overview

OAuth2.0 Token Exchange enables client applications to request and obtain security tokens (such as access tokens) from an authorization server acting as a Security Token Service (STS).

Configuring provider.yml

  • The definition configuration defines a new grant_type urn:ietf:params:oauth:grant-type:token-exchange.
# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
version: 24.08
logging:
  level: debug
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
    - password
    - client_credentials
    - implicit
    - refresh_token
    - urn:ietf:params:oauth:grant-type:token-exchange     
  pre_mappingrule_id: isvaop_pretoken                       # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken  
  base_url: https://isvaop.ibm.com:445/isvaop
  token_settings:                                           # Token Settings
    issuer: https://isvaop.ibm.com                          # OP's issuer URI.
    signing_alg: PS256                                      # Signing algorithm for ID token generated.
    signing_keystore: isvaop_signing                        # Signing keystore name.
    signing_keylabel: jwtsigning                            # Signing key label.
  attribute_map:                                            # Attribute mapping to resolve claims. also refer to attributesources.yml
    surname: surname  
server:
  ssl:
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
jwks:
  signing_keystore: isvaop_signing
secrets:
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"

Configuring mapping rule

  • Create a new mapping rule called idmap.js.
  • This mapping rule can be used to validate the subject (sub) of the incoming subject token during token exchange.
  • The validation queries an LDAP directory to check that an entry for the subject exists.
/**
 * Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
 */
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

IDMappingExtUtils.traceString("Entering idmap mapping rule");
IDMappingExtUtils.traceString("sub : " + stsuu.getPrincipalName());

let sub = stsuu.getPrincipalName();
IDMappingExtUtils.traceString("iss: " + stsuu.getAttributeContainer().getAttributeValueByName("iss"));
IDMappingExtUtils.traceString("exp: " + stsuu.getAttributeContainer().getAttributeValueByName("exp"));

// Initialise an LDAP lookup through the ldapcfg entry "ldap_test_cfg_01" defined in storage.yml
var userLookupHelper = new UserLookupHelper("ldap_test_cfg_01");
IDMappingExtUtils.traceString("sub validation for : " + sub);

if (userLookupHelper.isReady()) {
    // Search the directory for an entry whose ldapcfg attribute (uid) matches the sub
    var user = userLookupHelper.getUser(sub);
    if (user == null || user.getId() == null) {
        IDMappingExtUtils.traceString("sub validation failed for : " + sub);
    } else {
        IDMappingExtUtils.traceString("sub validation succeeded for : " + sub);
    }
} else {
    IDMappingExtUtils.traceString("LDAP lookup helper not ready, sub validation skipped for : " + sub);
}
IDMappingExtUtils.traceString("STSUU: " + stsuu.toString());

Configuring storage.yml

  • The mapping rule above references the LDAP configuration by name: UserLookupHelper("ldap_test_cfg_01") resolves the ldapcfg entry ldap_test_cfg_01, whose srv_conn in turn points at the server connection ldap_srvconn.
  • Update the ldapcfg entry and the LDAP server connection details in storage.yml to match your directory.
...
server_connections:                                         # Server connections
  - name: ldap_srvconn                                      # Connection name
    type: ldap                                              # Connection type
    hosts:                                                  # List of host information (IP and port)
      - hostname: openldap                                  # Server's hostname
        hostport: 636                                       # Server's host port
        credential:                                         # Credential information to connect to the host.
          bind_dn: cn=root,secAuthority=Default             # Specifies the binding credential for the LDAP server connection.
          bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs=" 
                                                            # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
    ssl:
      certificate:                                          # The SSL connection certificate array.
        - ks:ldap_keys                                      # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      disable_hostname_verification: false                  # The SSL connection validates the hostname.
    conn_settings:                                          # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
      max_pool_size: 50                                     # Maximum connection pool size.
      connect_timeout: 3                                    # Connect timeout, in seconds.
      aged_timeout: 5                                       # Aged timeout, in seconds.

ldapcfg:
  - name: ldap_test_cfg_01
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_srvconn
    attribute: uid
    baseDN: dc=ibm,dc=com

Configuring the static client

  • Configure two clients.
  • One client that generates the token (tokenGenerated).
  • Another client that exchanges that token for a different token (clientTokenExchange).
# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
clients:  
  - client_id: clientTokenExchange
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA="                                            # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: clientTokenExchange                                                                 # Name of the client.
    client_id_issued_at: 1642399207                                                                             # Timestamp (in seconds) from when the client is created.
    enabled: true                                                                                               # Set to `true` to enable this client
    grant_types:                                                                                                # Grant type that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange 
    response_types:                                                                                             # Response type that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris:                                                                                              # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris:                                                                                               # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes:                                                                                                     # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks                                                    
    id_token_signed_response_alg: PS512                                                                         
    token_endpoint_auth_method: client_secret_post                                                               
    token_exchange_settings: 
      client_groups:
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_requested_token_types: 
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token

  - client_id: tokenGenerated
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA="                                            # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: tokenGenerated                                                                 # Name of the client.
    client_id_issued_at: 1642399207                                                                             # Timestamp (in seconds) from when the client is created.
    enabled: true                                                                                               # Set to `true` to enable this client
    grant_types:                                                                                                # Grant type that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange 
    response_types:                                                                                             # Response type that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris:                                                                                              # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris:                                                                                               # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes:                                                                                                     # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks                                                    
    id_token_signed_response_alg: PS512                                                                         
    token_endpoint_auth_method: client_secret_post                                                               
    token_exchange_settings: 
      client_groups:
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_requested_token_types: 
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token        
  • client_groups - Clients are logically grouped using the client_groups configuration. Clients in the same client_group can exchange tokens that were generated by another client in that group.

Token exchange request example

curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=clientTokenExchange' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=_RFAfJNeB6H30IfDW1udc271ytq5BG5WwFSTvacNG1g.Oyr-LMYFrGXn9NrLPcTKOvAisGRGYUbtoyLkyD-BZCfNSgbW-EnWpAzRHZXTzMioGK2e9HcM0668nXATCStHWg' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
--data-urlencode 'actor_token=JFQu9BDahuciIVICnLcmTkeMJeng92p38IKD--fsYmo._-ZQpBn6FP-BxraacU0snZdlm4ndnIBPmRHZcWixnleUmJfDhxladSAJMKLidW9-QX4DC1KwsPvX_f16_Keh8g' \
--data-urlencode 'actor_token_type=urn:ietf:params:oauth:token-type:access_token'

NativeApp SSO configuration

Native App SSO is a specification that allows identity to be shared across multiple mobile applications. It is not based on a session cookie; instead it extends the OAuth 2.0 Token Exchange specification to share identity (SSO) between apps produced and signed by the same vendor.

Configuring provider.yml, the mapping rule and storage.yml

  • The provider.yml definition (with the urn:ietf:params:oauth:grant-type:token-exchange grant type), the idmap.js mapping rule and the storage.yml LDAP configuration are identical to those in the Token exchange configuration above and are not repeated here.

Configuring the static client

  • Configure two clients.
  • One client that generates the token (tokenGenerated).
  • Another client that exchanges that token for a different token (clientTokenExchange).
  • urn:x-oath:params:oauth:token-type:device-secret is added to supported_actor_token_types in the client configuration, so that the device_secret can be presented as the actor token.
  • device_sso is added to the list of scopes supported by the token-generating client.
# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
clients:  
  - client_id: clientTokenExchange
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA="                                            # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: clientTokenExchange                                                                 # Name of the client.
    client_id_issued_at: 1642399207                                                                             # Timestamp (in seconds) from when the client is created.
    enabled: true                                                                                               # Set to `true` to enable this client
    grant_types:                                                                                                # Grant type that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange 
    response_types:                                                                                             # Response type that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris:                                                                                              # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris:                                                                                               # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes:                                                                                                     # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks                                                    
    id_token_signed_response_alg: PS512                                                                         
    token_endpoint_auth_method: client_secret_post                                                               
    token_exchange_settings: 
      client_groups:
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
        - urn:x-oath:params:oauth:token-type:device-secret
      supported_requested_token_types: 
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token

  - client_id: tokenGenerated
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA="                                            # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: tokenGenerated                                                                 # Name of the client.
    client_id_issued_at: 1642399207                                                                             # Timestamp (in seconds) from when the client is created.
    enabled: true                                                                                               # Set to `true` to enable this client
    grant_types:                                                                                                # Grant type that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange 
    response_types:                                                                                             # Response type that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris:                                                                                              # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris:                                                                                               # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes:                                                                                                     # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
      - device_sso
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks                                                    
    id_token_signed_response_alg: PS512                                                                         
    token_endpoint_auth_method: client_secret_post                                                               
    token_exchange_settings: 
      client_groups:
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
        - urn:x-oath:params:oauth:token-type:device-secret
      supported_requested_token_types: 
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token        
  • client_groups - Clients are logically grouped using the client_groups configuration. Clients in the same client_group can exchange tokens that were generated by another client in that group.

Token exchange request example with device_secret

curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=clientTokenExchange' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=eyJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHBzZXJ2ZXJrZXkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiYXVxdDRxa3NLcXpYeEhJSXY3MFVxdyIsImF1ZCI6WyJjbGllbnQwMWRwb3AiXSwiYXV0aF90aW1lIjoxNzAyMzQ1MTY1LCJjdXN0b20xIjoiYmN1c3RvbSIsImN1c3RvbTIiOiJiY3VzdG9tIiwiZHNfaGFzaCI6InZfcDZMWjNqVDd5dFRzQkpoOWVweFEiLCJleHAiOjE3MDIzNDg3NjUsImlhdCI6MTcwMjM0NTE2NSwiaXNzIjoiaHR0cHM6Ly93d3cuaWJtLmNvbSIsImp0aSI6IjhhNGZhZGJkLTAyYjMtNDYyZi1iN2Q4LWE2ZWExMzFkNGZjYSIsInJhdCI6MTcwMjM0NTE2NCwicnRfaGFzaCI6ImVrc2duQ1NoOUhoVnAwUHN1Vnl0cWciLCJzaWQiOiIyZWQ2N2ZhYi1mNmRhLTQ5ZGMtYjAwYi0wZWNmZDliN2RmZWQiLCJzdWIiOiJwZXRlciJ9.1tdrA4CeAZoLnqSEzLXfQJGSWacyjYujKGykzjT0gW0hRIL_Gjo_LdrmI5LooaolbMLHbwFdEc2Q_XBc_TKketpcFyqOu8uyCdWCJGgtS3X_Qh2flqOd3NtKrhZbuD5CcGFi0FUQ7gaVYOgDXmFLHBk6OorDLOgBv3wPa9RTSC0JMqQ-phkRfW-08id0VtgOACUdyQqyN8DDEQamp2reHj4D4hb0bayB0My4QOGTsBukubCFUzerZNw_AJiXR4shMQvIFXe_85gZlVhzQ402pn9Sz8kMZZ6BGKwIlHlRtM6jhyFl2t-ETcY8NAmvxAUxSR6gq3DcT5pGPcsBooH2Zw' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
--data-urlencode 'actor_token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ' \
--data-urlencode 'actor_token_type=urn:x-oath:params:oauth:token-type:device-secret' \
--data-urlencode 'audience=https://www.ibm.com'
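As an added example (not code from the IBM Verify Identity Access OIDC Provider Resources project), the following Python script models the checks that the static client configuration above implies for the two request examples: the grant type, the supported subject/actor/requested token types, the client_groups rule, and the device_sso scope on the client that issued the device_secret. The client entries mirror the clients.yml fields; the token values are opaque placeholders, and the payrollApp client is constructed only to show a cross-group rejection.

```python
"""Added example (not code from the IBM Verify Identity Access OIDC Provider Resources
project): evaluate a token-exchange request against the static client configuration
on this page.  Token strings are opaque placeholders; payrollApp is a constructed client."""

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
DEVICE_SECRET = "urn:x-oath:params:oauth:token-type:device-secret"  # Native App SSO actor token
STANDARD_TYPES = [ACCESS_TOKEN, REFRESH_TOKEN, ID_TOKEN]


def make_client(client_id, groups, actor_types, scopes):
    """Mirror the clients.yml fields that the checks below consume."""
    return {
        "client_id": client_id,
        "enabled": True,
        "grant_types": ["authorization_code", "refresh_token", TOKEN_EXCHANGE_GRANT],
        "scopes": scopes,
        "token_exchange_settings": {
            "client_groups": groups,
            "supported_subject_token_types": STANDARD_TYPES,
            "supported_actor_token_types": actor_types,
            "supported_requested_token_types": STANDARD_TYPES,
        },
    }


GROUPS = ["benefits", "insurance"]
# Token exchange section: both clients accept the standard actor token types only.
TOKEN_EXCHANGE_CLIENTS = {
    "clientTokenExchange": make_client("clientTokenExchange", GROUPS, STANDARD_TYPES, ["openid", "profile"]),
    "tokenGenerated": make_client("tokenGenerated", GROUPS, STANDARD_TYPES, ["openid", "profile"]),
    "payrollApp": make_client("payrollApp", ["payroll"], STANDARD_TYPES, ["openid"]),  # other group
}
# NativeApp SSO section: device-secret actor type added, device_sso scope on the issuing client.
NATIVE_SSO_CLIENTS = {
    "clientTokenExchange": make_client("clientTokenExchange", GROUPS, STANDARD_TYPES + [DEVICE_SECRET], ["openid", "profile"]),
    "tokenGenerated": make_client("tokenGenerated", GROUPS, STANDARD_TYPES + [DEVICE_SECRET], ["openid", "profile", "device_sso"]),
}

# Form bodies of the two curl examples on this page, with the token values replaced.
ACCESS_TOKEN_REQUEST = {
    "client_id": "clientTokenExchange", "grant_type": TOKEN_EXCHANGE_GRANT,
    "subject_token": "<opaque access token>", "subject_token_type": ACCESS_TOKEN,
    "actor_token": "<opaque access token>", "actor_token_type": ACCESS_TOKEN,
}
DEVICE_SECRET_REQUEST = {
    "client_id": "clientTokenExchange", "grant_type": TOKEN_EXCHANGE_GRANT,
    "subject_token": "<id token JWT>", "subject_token_type": ID_TOKEN,
    "actor_token": "<opaque device secret>", "actor_token_type": DEVICE_SECRET,
    "audience": "https://www.ibm.com",
}


def evaluate_exchange(clients, request, issuing_client_id):
    """Return (allowed, reason).  issuing_client_id is the client the subject token was
    issued to; the server resolves it from the token, here it is passed in directly."""
    if request.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return False, "unsupported_grant_type"
    requester = clients.get(request.get("client_id"))
    if requester is None or not requester["enabled"]:
        return False, "invalid_client"
    if TOKEN_EXCHANGE_GRANT not in requester["grant_types"]:
        return False, "unauthorized_client: token-exchange grant not enabled"
    settings = requester["token_exchange_settings"]
    if request.get("subject_token_type") not in settings["supported_subject_token_types"]:
        return False, "invalid_request: unsupported subject_token_type"
    # RFC 8693: actor_token_type is required whenever an actor_token is present.
    if "actor_token" in request and \
            request.get("actor_token_type") not in settings["supported_actor_token_types"]:
        return False, "invalid_request: unsupported actor_token_type"
    requested = request.get("requested_token_type", ACCESS_TOKEN)
    if requested not in settings["supported_requested_token_types"]:
        return False, "invalid_request: unsupported requested_token_type"
    issuer = clients.get(issuing_client_id)
    if issuer is None:
        return False, "invalid_grant: subject token not issued by a known client"
    # client_groups rule: requester and issuing client must share at least one group.
    if not set(settings["client_groups"]) & set(issuer["token_exchange_settings"]["client_groups"]):
        return False, "invalid_grant: clients do not share a client_group"
    # Native App SSO: the device secret is obtained under the device_sso scope, so the
    # issuing client must be allowed that scope before its device secret can act.
    if request.get("actor_token_type") == DEVICE_SECRET and "device_sso" not in issuer["scopes"]:
        return False, "invalid_grant: issuing client is not allowed the device_sso scope"
    return True, "ok"
```

Running the device_secret request against the token-exchange-only client configuration is rejected at the actor_token_type check, while the same request passes against the NativeApp SSO configuration.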

Revoking the device_secret

  • When the device_secret needs to be revoked (for example, a lost device), there are two options:
    • revoke the device_secret and the tokens generated during the authorization code flow, or
    • revoke the device_secret, the tokens generated during the authorization code flow and the tokens generated by token exchange.
  • To revoke the device_secret and the tokens generated during the authorization code flow, send a request like the following example.
curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/revoke' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tokenGenerated' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ'
  • To revoke the device_secret, the tokens generated during the authorization code flow and the tokens generated by the token exchange flow, add the deleteAllTokens: true header, as in the following example.
curl --location 'https://isvaop.ibm.com:445/isvaop/oauth2/revoke' \
--header 'deleteAllTokens: true' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=tokenGenerated' \
--data-urlencode 'client_secret=asfasdfawqdewq' \
--data-urlencode 'token=PJEef6mv4z9uxdXrns7HpEOnuhPwxPRFA46d8TjXwjQ.zUlg_vF6Ag1P9ndm8EhS7Mpyd4Jd-gMgJk357lv2yvy_N2yOaieIqO7fIh5AzASmCZ0Ujmp87obPnkYT13y-sQ'